Data Processing Agreement
Last updated: 10 July 2026
This Data Processing Agreement (the "DPA") sets out how Stravax Group LLC processes personal data on behalf of Stravax Engage customers. It forms part of the Terms of Service and applies whenever we act as your processor. You do not need to sign it: by accepting the Terms of Service, you accept this DPA.
1. Parties, scope, and incorporation
This DPA is between Stravax Group LLC, a company registered in the United Arab Emirates (licence 2537844.01), with a registered address at Shams Business Center, Sharjah Media City Free Zone, Al Messaned, Sharjah, UAE ("Stravax", "we", "us", the processor), and the business that holds the Stravax Engage account ("Customer", "you", the controller).
This DPA is incorporated into, and forms part of, the Terms of Service by reference. It governs the processing of personal data that you route through Stravax Engage, where you are the controller and we act as your processor. No separate signature is required: by accepting the Terms of Service, or by creating an account or using the platform, you accept this DPA on behalf of the business you represent. Where this DPA and the Terms of Service conflict on the processing of personal data, this DPA prevails. A negotiated written agreement signed by both parties prevails over this DPA to the extent of any conflict.
2. Definitions
- Controller: the party that determines the purposes and means of processing personal data. For data routed through the platform, this is you.
- Processor: the party that processes personal data on behalf of the controller. This is Stravax.
- Subprocessor: a third party engaged by the processor to process personal data on the controller's behalf.
- Personal data: any information relating to an identified or identifiable natural person that is processed under this DPA.
- Processing: any operation performed on personal data, such as collection, storage, use, disclosure, or deletion.
- Data subject: the identified or identifiable natural person to whom the personal data relates.
- Personal data breach: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data processed under this DPA.
3. Roles and scope of processing
For personal data you route through Stravax Engage, you are the controller and Stravax is the processor. The subject matter of the processing is the operation of the Stravax Engage platform for you. The duration of the processing is the term of your account, plus the limited retention and export periods described in section 11.
| Item | Detail |
|---|---|
| Nature and purpose | Processing to deliver the Service on your instructions: routing WhatsApp messages, storing your team inbox, running broadcasts, automation, and Shopify abandoned-cart recovery, maintaining lead and pipeline records in the CRM, and syncing the conversion events you configure to the ad accounts you connect. |
| Types of personal data | Your contacts' WhatsApp numbers and profile names; the content and metadata of the messages you send and receive; lead and pipeline records in the CRM; and the conversion events you choose to sync to ad platforms. |
| Categories of data subjects | Your contacts and customers, your prospects and leads, and the members of your team you add as users of your organisation. |
4. Customer instructions
We process personal data only on your documented instructions, including as set out in this DPA, the Terms of Service, and your configuration and use of the platform. We do not use your data for our own purposes and do not sell it. If we believe an instruction breaches applicable data protection law, we will inform you. If we are required by law to process personal data other than on your instructions, we will inform you of that requirement before processing, unless the law prohibits it.
You warrant that you have a lawful basis and, where required, valid opt-in and consent to message your contacts through WhatsApp and to route their personal data through the Service, and that your instructions comply with applicable law.
5. Confidentiality of personnel
We ensure that personnel authorised to process personal data under this DPA are bound by an appropriate duty of confidentiality and process the data only as needed to deliver the Service.
6. Security measures
We take reasonable technical and organisational measures to protect personal data. These include:
- Encryption of data in transit.
- Isolation of each customer's data to its own tenant.
- Scoped and controlled access to data.
- Storage of message media separately from metadata.
- Management of secrets using our hosting provider's secret storage.
No system is perfectly secure, but we maintain measures appropriate to the risk. We may update these measures over time, provided the level of protection is not materially reduced.
7. Subprocessors
You give us general written authorisation to engage subprocessors to process personal data in order to deliver the Service. Each subprocessor processes data only as needed and under its own terms, and we take reasonable steps to ensure each protects data appropriately. Our current subprocessors are:
| Provider | Purpose |
|---|---|
| Meta / WhatsApp | The WhatsApp Business Platform that sends and receives your messages. |
| Cloudflare | Hosting, database, message and media storage, and platform security. |
| Resend | Transactional and notification email. |
| Shopify | Store and order data for abandoned-cart recovery, where you connect a store. |
| Stripe | Payment processing for paid plans. |
| Google and Meta (Ads) | Receiving the conversion events you choose to sync to ad accounts you connect. |
We will give you notice before adding or replacing a subprocessor, so that you have a reasonable opportunity to object on reasonable data protection grounds. If you object and we cannot reasonably accommodate your objection, you may stop using the affected feature or terminate your account as your remedy.
8. Data subject rights
Taking into account the nature of the processing, we assist you by appropriate technical and organisational measures, so far as reasonably possible, in responding to requests from data subjects to exercise their rights under applicable law, including access, correction, deletion, objection, and restriction. If a data subject contacts us directly about data we process on your behalf, we will refer them to you, as you are the controller of that data.
9. Personal data breach notification
If we become aware of a personal data breach affecting the personal data we process on your behalf, we will notify you without undue delay. Our notice will describe the nature of the breach and the information reasonably available to us, so that you can meet your own notification obligations, and we will take reasonable steps to mitigate its effects.
10. International transfers
We process personal data in the United Arab Emirates. Some of our subprocessors, including Meta and Cloudflare, operate global infrastructure, so data may be processed outside the UAE. Where that happens, we rely on those providers' own safeguards for such transfers.
11. Deletion and return on termination
Message content and media are retained while your account is active and are deleted or made available for export within a reasonable period (typically 30 days) after termination. After that period, we may delete the data, unless we are required to retain it by applicable law. Account and billing data are retained as described in our Privacy Policy.
12. Audit and information rights
On reasonable written request, and no more than once a year unless required by a regulator or following a personal data breach, we will make available information reasonably necessary to demonstrate our compliance with this DPA. Any audit is subject to reasonable confidentiality and security conditions and must not disrupt the Service or the data of our other customers.
13. Liability
Each party's liability under this DPA is subject to the limitation of liability set out in the Terms of Service.
14. Governing law
This DPA is governed by the laws of the United Arab Emirates, including UAE Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data, and any dispute is subject to the exclusive jurisdiction of the competent courts of the United Arab Emirates.
15. Contact
Questions or data protection requests under this DPA: [email protected], Stravax Group LLC, Shams Business Center, Sharjah Media City Free Zone, Al Messaned, Sharjah, UAE.
This DPA covers processing on the Stravax Engage platform. Custom or managed engagements may be governed by an additional written agreement, which prevails over this DPA to the extent of any conflict.